Data Loss Prevention (DLP) is an area of computer and information security in which DLP systems identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage). Typically, a DLP system creates fingerprints of the confidential information that requires protection and uses those fingerprints to detect the presence of that information in files, messages, and the like. Confidential information may be stored in structured form, such as a database or spreadsheet, and may include, for example, customer data, employee data, patient data, and pricing data. Confidential information may also include unstructured data such as design plans, source code, and financial reports.
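The fingerprinting step described above can be illustrated with a small detector. The following is an added example, not code from the original document or from any particular DLP product: it hashes the fields of structured records (so whole-record leaks can be recognised by counting how many fields of one row appear in a message) and hashes word shingles of an unstructured document (so a lifted passage is recognised even when only part of it is copied). The records, the design-plan text, the sample messages and the thresholds are constructed for the example; the detector itself only ever stores hashes, never the clear confidential values.

```python
import hashlib
import re


def normalize(text):
    """Lower-case, drop punctuation and collapse whitespace so trivial reformatting does not evade a match."""
    text = re.sub(r"[^a-z0-9 ]", "", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def fp(text):
    """Fingerprint = SHA-256 of the normalised text; the scanner never needs the clear value."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


# Constructed sample of structured confidential data (e.g. a customer table).
CUSTOMER_RECORDS = [
    {"id": "C-1001", "name": "Ada Example", "card": "4111 1111 1111 1111"},
    {"id": "C-1002", "name": "Bob Sample", "card": "5500 0000 0000 0004"},
]

# Constructed sample of unstructured confidential data (e.g. a design plan).
DESIGN_PLAN = ("The widget uses a dual stage compressor with a titanium impeller "
               "and ceramic bearings")


def fingerprint_records(records, fields):
    """Map each field-value hash to (row, field) so hits can be grouped per record."""
    index = {}
    for row, rec in enumerate(records):
        for f in fields:
            index[fp(normalize(rec[f]))] = (row, f)
    return index


def fingerprint_document(text, k=5):
    """Hash every run of k consecutive words (word shingles)."""
    words = normalize(text).split(" ")
    return {fp(" ".join(words[i:i + k])) for i in range(len(words) - k + 1)}


def _spans(text, max_words):
    """Every run of 1..max_words consecutive words in the text; values may be multi-word."""
    words = normalize(text).split(" ")
    for n in range(1, max_words + 1):
        for i in range(len(words) - n + 1):
            yield " ".join(words[i:i + n])


def scan_structured(text, index, min_fields=2, max_words=4):
    """Return {row: [matched fields]} for rows with at least min_fields values present in text.

    Requiring several fields of the same record keeps a lone common value
    (a single first name, say) from raising an alert on its own.
    """
    hits = {}
    for span in _spans(text, max_words):
        h = fp(span)
        if h in index:
            row, f = index[h]
            hits.setdefault(row, set()).add(f)
    return {row: sorted(fs) for row, fs in hits.items() if len(fs) >= min_fields}


def scan_unstructured(text, doc_fps, k=5, min_shingles=3):
    """Return (flagged, matched_shingle_count) for text against a fingerprinted document."""
    matched = fingerprint_document(text, k) & doc_fps
    return (len(matched) >= min_shingles, len(matched))


RECORD_INDEX = fingerprint_records(CUSTOMER_RECORDS, ["id", "name", "card"])
DESIGN_FPS = fingerprint_document(DESIGN_PLAN)

if __name__ == "__main__":
    msg = "Hi, please bill Ada Example on card 4111 1111 1111 1111 today"
    print(scan_structured(msg, RECORD_INDEX))
    print(scan_unstructured("It uses a dual stage compressor with a titanium impeller, nothing else",
                            DESIGN_FPS))
```

The normalisation here is deliberately minimal; a production detector would also canonicalise number formats and handle tokenisation across line breaks, but the structure (fingerprint once, match hashes everywhere) is the same.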
Many organizations store large amounts of confidential information in files that are accessible to users within the organization. Since access to this data is essential to the job function of many users within the organization, there are many possibilities for theft or accidental distribution of this confidential information. Theft or benign inadvertent disclosure of confidential information represents a significant business risk in terms of the value of the intellectual property and compliance with corporate policies, as well as the legal liabilities related to government regulatory compliance.
Organizations may also offer one or more cloud services to users over a network (e.g., the Internet). The cloud services may include computation, software, data access, storage services, etc. that physically reside elsewhere (e.g., on another computer or in the organization's data center) and that users can access from their own computer or device over the network. Since confidential information may be sent to or received from these cloud services, corporate policy may limit access to cloud services depending on the user, device, network, etc.
The DLP system may include a single sign-on (SSO) solution that enables a user to access multiple cloud services (e.g., both private cloud services and public cloud services) using a single set of identification credentials. The SSO solution may use a password vault to manage the various individual passwords for the different cloud services. Conventionally, the password vault is owned either by the user (e.g., an employee) or by the organization (e.g., the employer, a corporation). In a true converged SSO scenario (i.e., one end-user sign-on for both personal and work services from any device), this leads to challenges when access to work services needs to be added, revoked, changed, or carried forward when there is a change in employment status. In addition, to force cloud service access through a common cloud access broker, employers may want to hide credentials such that the user cannot use the credentials outside the particular broker. There are currently no provisions for employers to provide or supply masked credentials in employee-owned password vaults.
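One way the masked-credential idea above can be realised, shown here as an added example that is not the design of the original document: the employee's personal vault holds an opaque, integrity-protected handle for each work service instead of the password, and only the employer's cloud access broker can turn that handle into a session. Because the real credential is escrowed at the broker, adding, rotating and revoking work access never touches the user's vault, and the device policy from the previous paragraph is enforced at the same choke point. The broker class, the HMAC-tagged handle format, the service names, the stand-in `service_login` and the signing key are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the cloud services' own login check: service -> accepted credential.
SERVICE_CREDENTIALS = {"crm.example": "Crm-Pass-1", "mail.example": "Mail-Pass-1"}


def service_login(service, credential):
    """Return a session id when the credential is accepted, else None (constructed stand-in)."""
    if SERVICE_CREDENTIALS.get(service) == credential:
        return f"session:{service}:{secrets.token_hex(4)}"
    return None


@dataclass
class VaultEntry:
    service: str
    owner: str                       # "user" for personal entries, "employer" for masked work entries
    secret: Optional[str] = None     # clear password, present only on user-owned entries
    handle: Optional[str] = None     # opaque reference, present only on employer-owned entries


class CloudAccessBroker:
    """Employer-side broker: keeps the real work credentials and only ever hands out sessions."""

    def __init__(self, signing_key):
        self._key = signing_key
        self._escrow = {}      # service -> real credential; never leaves the broker
        self._grants = {}      # handle -> (user, service)
        self._active = set()   # users whose employment status currently permits work access

    def _tag(self, body):
        return hmac.new(self._key, body.encode(), hashlib.sha256).hexdigest()[:32]

    def onboard(self, user):
        self._active.add(user)

    def offboard(self, user):
        # Revocation needs no access to the user's vault: the handle simply stops resolving.
        self._active.discard(user)

    def set_credential(self, service, credential):
        # Rotation: only the escrow changes; handles already in vaults stay valid.
        self._escrow[service] = credential

    def provision(self, user, service):
        """Issue a vault entry that names the service but carries no usable secret."""
        body = f"{user}|{service}|{secrets.token_hex(8)}"
        handle = f"{body}|{self._tag(body)}"
        self._grants[handle] = (user, service)
        return VaultEntry(service=service, owner="employer", handle=handle)

    def sign_on(self, entry, user, device_managed=True):
        """Resolve a handle to a service session, or raise PermissionError."""
        if entry.owner != "employer" or entry.handle is None:
            raise PermissionError("not an employer-provisioned entry")
        body, _, tag = entry.handle.rpartition("|")
        if not hmac.compare_digest(tag, self._tag(body)):
            raise PermissionError("handle failed integrity check")
        grant = self._grants.get(entry.handle)
        if grant is None or grant[0] != user or user not in self._active:
            raise PermissionError("grant revoked or not issued to this user")
        if not device_managed:
            raise PermissionError("policy: work services only from managed devices")
        session = service_login(grant[1], self._escrow[grant[1]])
        if session is None:
            raise RuntimeError("escrowed credential rejected by service; rotate it")
        return session


def _attempt(broker, entry, user, **kw):
    try:
        broker.sign_on(entry, user, **kw)
        return "allowed"
    except PermissionError as exc:
        return f"denied: {exc}"


def walkthrough():
    """Add, use, rotate and revoke one masked work credential; return what was observed."""
    broker = CloudAccessBroker(signing_key=b"constructed-broker-signing-key")
    broker.set_credential("crm.example", "Crm-Pass-1")
    broker.onboard("alice")
    personal_vault = [VaultEntry("photos.example", "user", secret="alice-own-password")]
    work = broker.provision("alice", "crm.example")
    personal_vault.append(work)   # sits in the user's vault, yet exposes no password
    out = {"vault_exposes_secret": work.secret is not None}
    out["managed_device"] = broker.sign_on(work, "alice").startswith("session:crm.example:")
    out["unmanaged_device"] = _attempt(broker, work, "alice", device_managed=False)
    out["other_user"] = _attempt(broker, work, "bob")
    SERVICE_CREDENTIALS["crm.example"] = "Crm-Pass-2"     # service-side password change
    broker.set_credential("crm.example", "Crm-Pass-2")    # escrow updated; vault entry untouched
    out["after_rotation"] = broker.sign_on(work, "alice").startswith("session:crm.example:")
    broker.offboard("alice")
    out["after_offboarding"] = _attempt(broker, work, "alice")
    return out


if __name__ == "__main__":
    for step, result in walkthrough().items():
        print(f"{step}: {result}")
```

The handle is bound to the user and service and carries an HMAC tag, so a copied or edited handle is rejected before any grant lookup; the credential itself is used only inside `sign_on`, which is what confines work-service access to the broker.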